
I have a Rails 4 app where I am storing URLs in a database. When Rails escapes it, the link is no longer usable when I try to call it again.

So I use:

<%= @product.url.html_safe %>

But isn't that vulnerable to XSS? I read up on raw() as well, but it seems to do the same thing as html_safe?

the_

2 Answers


You could potentially use URI.parse to ensure the URL is being escaped:

<%= URI.parse @product.url %>

However, this is best placed inside a validation:

Rails: What's a good way to validate links (URLs)?

Kevin Sylvestre

If I were you, I would add a validation on url to ensure it is a valid URL:

class Product < ActiveRecord::Base
  validate :valid_url

  private

  # Skip the check for blank values and when the URL has not been changed
  def valid_url
    return if url.blank? || !url_changed?
    URI.parse url
  rescue URI::InvalidURIError
    errors.add :url, :invalid
  end
end

With this in place you can be sure there are no XSS possibilities.

BroiSatse